O2 customer data is being sold by cyber criminals on the dark web, a report by the BBC claims.

The Victoria Derbyshire program says it was shown adverts for the data by an ‘ethical hacker’, with the contents believed to be from the hacking of gaming website XSplit in 2013. Log-in details from that breach were matched with O2 accounts in a practice called “credential stuffing”, where the same details are used to try and log in to multiple websites.

Among the details for sale were phone numbers, email address and passwords, though O2′s own security was not breached as part of the process.

The dark web is a subsection of the internet that can only be accessed via specialised software and is used for a large number of illegal activities, including the sale of stolen data and drugs.

O2 said in a statement that it was aware of the situation and had notified police.

“We have not suffered a data breach,” the telecoms firm said.

“Credential stuffing is a challenge for businesses and can result in many company’s customer data being sold on the dark net.

“We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.

“We act immediately if we are given evidence of personal credentials being taken from the internet and used to try and compromise a customer’s account. We take fraud and security seriously and if we believe a customer is at risk from fraud we inform them so they can take steps to protect themselves.”

Computer security experts say the incident is further proof that username and password systems alone are not enough to protect consumers, particularly those who use the same details across multiple sites.

James Romer, chief security architect Europe for cyber security firm SecureAuth said: “The O2 data leak must be a stark wake up call for businesses who continue to rely on traditional username and password authentication alone. We all know that using the same password-username credentials across multiple sites is a bad idea, yet it still happens far too often.

“Bad actors are taking advantage of this laissez faire attitude, trying stolen credentials not just on one site but a number, even employing botnets which automate the process.

“Organisations must move away from the current reliance on a single point of authentication to multi-factor, or even better, continuous authentication.”